CPRA Compliance Checklist

The California Privacy Rights Act (CPRA)'s effective date is 1 January 2023, and its lookback period is 1 January 2022. That means that if you are not compliant by now, it is time to get on the right side of the law. The California Privacy Protection Agency (CPPA) and the California Attorney General may come after you for any violations committed regarding the data you process at the moment.

But before we get into the CPRA compliance checklist, we need to figure out if the CPRA applies to you.

Who Must Comply with the California Privacy Rights Act (CPRA)?

CPRA applies only to for-profit businesses whose work is related to California and meets some thresholds.

The business is related to California if they operate from there or offer products and services to California residents. However, not all such businesses need to comply with California's data privacy laws.

They also need to meet at least one of the following thresholds:

• Their annual gross revenue (from January to December) is $25 million or more.
• At least 50% of their annual revenue comes from selling or sharing personal information. No matter how much the annual revenue is, as long as half of it comes from selling or sharing personal information, the CPRA threshold has been met, and you must comply with the CPRA.
• They buy, sell, or share with third parties the personal information of at least 100,000 California residents. It is easy to fall under the scope of CPRA according to these criteria because it includes sharing personal data with a third party. This means that if you collect the personal information of at least 100,000 Californians by installing Google Analytics cookies, Facebook Pixel, Twitter Pixel, or a similar tracking technology on your website, this CPRA compliance checklist is relevant.
  

What Should My CPRA Compliance Checklist Include?

Your CPRA compliance checklist depends on your business’s CPRA requirements as well as your business’s specifics. Some of the requirements apply only if you do certain activities. For example, you must only present users with opt-out links if you share or sell consumers’ personal information.

Process only the minimum amount of consumer personal information

CPRA is the first ever US state data protection law to introduce the data minimization principle. It requires you to process only the minimum necessary to fulfill the processing purposes. Therefore, ensure that you process only the data you must process to reach your goals and no more than that.

Update your privacy notices

You need to provide multiple privacy notices to your consumers, the most important of which must be provided at the moment of data collection. It must include the following:

• The categories of personal information that you process
• The purpose of processing consumer data
• Processing of sensitive personal information processing
• Categories of third parties with whom data is shared
• Consumer rights
• How to opt-out of the sale of personal information
• How to limit the processing of their sensitive data
• Data retention period
• The effective date of the notice and other information.

Other notices include the notice on the sale or sharing of personal information, limiting the use of sensitive personal information, and financial incentives.

Update your privacy policy

CPRA introduces new rights and some new general duties for businesses. These have to be part of your privacy policy. CPRA and CCPA privacy policy requirements are very similar, yet you may need to make some tweaks to accommodate the new CRPA requirements. Make sure you do it.

Ensure that you process personal data for adequate purposes

The purpose limitation principle in CPRA requires you to process adequate amounts of consumers’ personal information for your processing purposes. You should not process data that doesn’t fit the purpose. For example, you cannot collect and process phone numbers in cases where you need to process only email addresses.

Collect consent for processing the already-obtained data for a new purpose

You have collected and processed some personal information for the purposes you have listed in your CPRA privacy policy. Now you want to process the same data for a new purpose. You must obtain consumers’ consent before processing the data.

Establish a data retention policy

You must only store personal data for a while. You have to delete the personal information you don’t need anymore. Establishing a data retention policy is an excellent first step toward compliance with the retention requirements of the CPRA (CPRA Full Text Summary). In the policy, you need to list all the categories of personal information you process, the purpose of processing it, and the length of time you plan to store it before removing it from your servers.

Review your contracts with service providers

CPRA obliges businesses to ensure that their service providers process personal information within the boundaries set by the law. That’s why, in your written agreements with them, you must:

• Make sure the service provider meets the terms of the agreement;
• Specify that the personal information is sold or shared for specific and limited purposes;
• Oblige the service providers to protect the personal information they’ve been shared with;
• Require the service provider to notify you if they are no longer able to meet the contractual requirements;
• Make sure there are ways for your service providers to stop using your personal information without your permission and to fix the problem if they do.
• Ensure that the service provider implements adequate measures for data protection and security.

Consider conducting risk assessment and cybersecurity audits.

These are measures for avoiding data breaches. Risk assessments and cybersecurity audits will point out the vulnerabilities of your systems and inform your decision-making on data security.

You can start with a data mapping exercise to determine how personal information flows within your organization and identify potential risks. Once you know your risks, you’ll be able to protect your data better and avoid privacy risks.

Establish procedures for honoring consumer requests

Consumers have the right to know, access, correct, delete, port their data, and opt out. You must honor their requests within the CPRA deadlines, and you’ll do that easily if you have proper procedures.

If you are already compliant with the CCPA, you may have some procedures in place already. But the CPRA gave consumers new rights, so make sure that your internal policies and procedures also cover them.

Ensure that your procedures include methods for receiving requests as well as methods for verifying the requester's identity. Confirming the requester’s identity is essential to avoid disclosing personal information to an unauthorized person.

You can read more about responding to CPRA consumer requests here.

Do not retaliate against consumers who exercise consumer rights

Consumers have their rights, and you are obliged to comply with them. Do not retaliate against those who exercise their rights. The CPRA explicitly forbids it.

Provide consumers with a link to opt-out of the sale or sharing of their personal data

If you sell consumers’ personal information or share it with third parties, you must provide a link to "Do Not Sell or Share My Personal Information." That link should allow consumers to opt-out of the sale or share of their data.

Provide consumers with a link to limit the sharing of their sensitive personal information

Process or disclose to third parties consumers’ sensitive personal information, such as biometric data, health data, precise geolocation, social security numbers, driver’s license number, and similar data. You must allow users to limit their use of such information.

The CPRA requires you to do this by giving customers a link that says "Limit the Use of My Sensitive Personal Information." This link should take them to a page where they can change how you use their information.

Provide consumers with an alternative opt-out link

Instead of posting separate links for opting out of the sale, sharing, and processing of sensitive data, the CCPA and CPRA allow you to post single alternative opt-out link named “Your California Privacy Choices”.

Clicking the link shall take the consumer to a page where they could learn about their privacy options to make their mind and choose what is best for them.

Honor opt-out preference signals

Global Privacy Controls (GPC) is considered to be a valid request for opting out of the sale of sharing personal information. CCPA and CPRA-compliant businesses must honor such signals.

Obtain consent for the financial incentives program

You can opt-in consumers into your financial incentives programs, such as rewards and loyalty programs, only if they opt-in themselves. If they refuse, wait for 12 months before asking for opt-in again.

Obtain consent from parents when knowingly collecting children’s personal information for selling or sharing

Collecting children’s personal information requires obtaining consent from the child's parents. The consent must be explicit, freely given, informed, and unambiguous. You must not share or sell such information without consent.

Train your personnel

Finally, ensure that all your personnel are educated about the CPRA requirements to ensure that they won’t get your business into trouble with the California Attorney General and the CPPA.

How Does CPRA Compliance Compare with CCPA Compliance?

California Consumer Privacy Act (CCPA) and CPRA requirements are similar and will become even more aligned as the CPPA passes new CPRA regulations. Consequently, compliance with the CCPA and the CPRA takes similar efforts (Achieve CCPA/CPRA Certification with Secure Privacy). In many cases, privacy compliance with one of the laws will lead to compliance with the other one. Moreover, it may mean alignment with some new consumer privacy laws of the US states, such as Utah, Virginia, Colorado, and Connecticut. They all have passed new laws, and if you operate all around the United States, you have to consider their provisions.

In contrast to them, the European General Data Protection Regulation (GDPR) has different and more strict rules.